ColdFusion Security hot fix APSB13-13

Issue

ColdFusion 10, ColdFusion 9.0.2, ColdFusion 9.0.1, and ColdFusion 9.0 are affected by the vulnerabilities described in security bulletin APSB13-13. This article provides the fixes for the security issues in that bulletin, along with installation instructions.

See the important hot fix-related notes published with previous security hot fixes here.

ColdFusion 10

In ColdFusion 10, use the hot fix installer to apply this update (ColdFusion 10 Update 10). ColdFusion 10 Update 10 is cumulative: it includes all the bug fixes from the previous ColdFusion 10 updates.

Important note:

If you have not applied the ColdFusion 10 Mandatory Update, apply it first, before applying this update. This step is not required if the ColdFusion 10 build number is greater than 282462.

ColdFusion 9

Follow the instructions that apply to your version of ColdFusion. Do not apply these fixes to any beta or prerelease version of ColdFusion.

Definition for ColdFusion-Home:

In the following deployment options, {ColdFusion-Home} indicates the following:

For Server installation: {ColdFusion-Home}

For Multiserver installation: {JRun-Home}/servers/{YourServer}/cfusion-ear/cfusion-war/

For J2EE installation: {cfusion-ear-Home}/cfusion-war/

Note

Hot fix files contain some of the previous security hot fixes.

In ColdFusion 9.0.x, do not remove any jar files whose names begin with chf from the {ColdFusion-Home}/lib/updates directory (Server installation) or the {ColdFusion-Home}/WEB-INF/cfusion/lib/updates directory (Multiserver and J2EE installations).
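The two pre-flight checks above (the ColdFusion 10 build-number threshold of 282462 and the chf*.jar files that must survive in the updates directory of each ColdFusion 9.0.x deployment type) can be scripted so they are run the same way on every server before and after the hot fix. The following POSIX shell helpers are an added example written for this article; they are not Adobe's tooling. They assume the build number is read by the administrator from the ColdFusion Administrator and passed in as an argument, and every path and jar name used in the comments and usage is a constructed sample, not a value from the bulletin.

```shell
#!/bin/sh
# Added example (not Adobe's tooling): pre-flight checks for APSB13-13.

# Resolve the {ColdFusion-Home} path the bulletin uses for each deployment option.
#   cf_home server      <ColdFusion-Home>
#   cf_home multiserver <JRun-Home> <YourServer>
#   cf_home j2ee        <cfusion-ear-Home>
cf_home() {
  case "$1" in
    server)      printf '%s\n' "$2" ;;
    multiserver) printf '%s/servers/%s/cfusion-ear/cfusion-war\n' "$2" "$3" ;;
    j2ee)        printf '%s/cfusion-war\n' "$2" ;;
    *)           return 1 ;;
  esac
}

# Directory holding the chf*.jar files that must not be removed in 9.0.x:
# lib/updates for a Server install, WEB-INF/cfusion/lib/updates otherwise.
updates_dir() {
  home=$(cf_home "$@") || return 1
  case "$1" in
    server) printf '%s/lib/updates\n' "$home" ;;
    *)      printf '%s/WEB-INF/cfusion/lib/updates\n' "$home" ;;
  esac
}

# ColdFusion 10: the Mandatory Update is required unless the build number
# (read from the ColdFusion Administrator; assumption) is greater than 282462.
# Returns 0 when the Mandatory Update must be applied first, 1 otherwise.
cf10_needs_mandatory_update() {
  [ "$1" -gt 282462 ] && return 1
  return 0
}

# Count chf*.jar files in a directory. Run once before and once after the
# hot fix; a lower count afterwards means a chf jar was removed by mistake.
count_chf_jars() {
  n=0
  for f in "$1"/chf*.jar; do
    [ -e "$f" ] && n=$((n + 1))
  done
  printf '%s\n' "$n"
}

# Usage (constructed sample paths and build number):
#   updates_dir multiserver /opt/jrun4 cfusion
#   cf10_needs_mandatory_update 282462 && echo "apply Mandatory Update first"
#   count_chf_jars "$(updates_dir server /opt/coldfusion9)"
```

The inventory is deliberately a plain count rather than a fixed list of jar names, because the bulletin does not enumerate them; comparing the count taken before the hot fix with the one taken afterwards is enough to catch an accidental deletion.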

CFIDE-902.zip, CFIDE-901.zip, CFIDE-9.zip, and WEB-INF.zip, included in the hot fixes, contain only part of the CFIDE and WEB-INF files. Do not rename the existing CFIDE and WEB-INF directories.

Bugs 3544895 and 3540876 reported in the previous security hot fix (APSB13-10) for ColdFusion 9.0.1 have been fixed in this hot fix.

Section 1

Use the following instructions if you have previously applied security hot fix APSB13-10.

Revision:

July 25, 2013: Bug #3574419, reported against this security hot fix, has been addressed. This issue affects only the enterprise-manager functionality in the ColdFusion Administrator. Only ColdFusion 9 and ColdFusion 9.0.1 are affected by this bug. For more details, refer to bug 3574419.

To apply the fix for this issue, download the zip file that matches your version of ColdFusion.